Fesiitis

RB760iGS on ROSv7 cannot access IPsec resources from road warrior VPN

Sun Aug 14, 2022 5:16 am

Hi,

After upgrading my hEX S (RB760iGS) to ROSv7, I can no longer reach resources behind the site-to-site IPsec tunnel from the IKEv2 RSA road-warrior VPN. This worked on ROSv6.
I have tried resetting the hEX S to default settings on ROSv7 and configuring it for my needs from scratch, but nothing changed. If I downgrade the hEX S back to ROSv6, the problem disappears, i.e. I can again reach the IPsec resources from the IKEv2 RSA road-warrior VPN.
At the same time, with an identical configuration on an RB5009UG+S+IN and a CCR2004-1G-12S+2XS, both running ROSv7, I do not have this problem.
I've compared the configuration exports of all three routers and have not found anything in the hEX S default configuration that could explain the difference, so I'm out of ideas.
This is my configuration export (public addresses and MAC addresses are replaced with XX):
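# RouterOS v7 export for the hEX S (RB760iGS). Lines starting with '#' are
# reviewer notes and are ignored on import. Exactly one rule was added
# (in the input chain, marked "Added"); everything else is unchanged.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=XX:XX:XX:XX:XX:XX
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/ip ipsec policy group
add name="IKE2 RSA"
/ip ipsec profile
# NOTE(review): modp1024 (DH group 2) is below current recommendations for an
# IKE SA. It is kept here because the remote "Tunel" peer must agree on the
# group; move both ends to modp2048 or a curve group at the same time.
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name="Tunel"
# Road-warrior profile; dh-group is not set, so the RouterOS default applies.
add enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name="IKE2 RSA"
/ip ipsec peer
# Site-to-site peer: fixed remote address, this router may initiate.
add address=XX.XX.XX.XX/32 exchange-mode=ike2 local-address=XX.XX.XX.XX \
    name="Tunel" profile="Tunel"
# Road-warrior peer: passive=yes, clients initiate; no remote address is pinned.
add exchange-mode=ike2 local-address=XX.XX.XX.XX name="IKE2 RSA" passive=\
    yes profile="IKE2 RSA"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m name=\
    "Tunel"
# NOTE(review): pfs-group=none means child SA keys are derived without forward
# secrecy. Enabling PFS here requires the client-side configuration to match.
add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h name="IKE2 RSA" \
    pfs-group=none
/ip pool
add name=dhcp ranges=10.23.32.2-10.23.32.21
# Road-warrior client addresses; all of 10.29.9.0/28 is referenced by the
# firewall, NAT, IPsec policies and service address lists below.
add name="IKE2 RSA" ranges=10.29.9.4-10.29.9.14
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=2d name=dhcp
/ip ipsec mode-config
# Clients get a /32 from the pool and a static DNS server (not this router).
add address-pool="IKE2 RSA" address-prefix-length=32 name="IKE2 RSA" \
    static-dns=XX.XX.XX.XX system-dns=no
/port
set 0 name=serial0
/certificate settings
# CRL checking is on: the road-warrior client certificate can be revoked.
set crl-use=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.23.32.1/24 interface=bridge network=10.23.32.0
add address=XX.XX.XX.XX/24 interface=ether1 network=XX.XX.XX.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=10.23.32.0/24 dns-server=XX.XX.XX.XX \
    gateway=10.23.32.1 netmask=24
/ip dns
# allow-remote-requests=yes is reachable only from LAN because of the input
# chain below, so this is not an open resolver towards the WAN.
set allow-remote-requests=yes servers=XX.XX.XX.XX
/ip firewall filter
add action=accept chain=input comment="Router fw input accept all active" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Allow IPsec ISAKMP and NAT-T" \
    dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow IPsec ESP" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="Router fw input drop invalid" \
    connection-state=invalid
# Added: decapsulated road-warrior packets keep in-interface=ether1 (WAN), so
# without this rule new connections from 10.29.9.0/28 to the router itself
# (winbox/www, whose address lists include that subnet) hit the drop below.
# Scoped to the client subnet only; the site-to-site peer is not let in.
add action=accept chain=input comment="Allow road warrior clients to router" \
    ipsec-policy=in,ipsec src-address=10.29.9.0/28
add action=drop chain=input comment="Router fw input drop all not from LAN" \
    in-interface-list=!LAN
# Traffic that matched an IPsec policy on the way in or out is accepted here,
# before fasttrack, so it is never fasttracked or hardware-offloaded.
add action=accept chain=forward comment="Router fw forward accept in IPsec" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw forward accept out IPsec" \
    ipsec-policy=out,ipsec
# NOTE(review): hw-offload=yes is a v7-only option. If the hEX S still cannot
# reach 10.12.14.0/24 from a VPN client, compare the counters of the two IPsec
# accept rules above on the hEX S and the RB5009 for the same test ping, and
# check `/ip ipsec policy print` for the dynamic policy of the client address.
add action=fasttrack-connection chain=forward comment=\
    "Router fw forward fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="Router fw forward accept all active" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Router fw forward drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Router fw forward drop all from WAN not dstnated" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# The two accept rules keep LAN and road-warrior traffic destined for the
# remote site out of masquerade so it matches the IPsec policies unchanged.
add action=accept chain=srcnat comment="Tunel" dst-address=\
    10.12.14.0/24 src-address=10.23.32.0/24
add action=accept chain=srcnat dst-address=10.12.14.0/24 src-address=\
    10.29.9.0/28
add action=masquerade chain=srcnat comment="Router fw masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# Site-to-site identity (auth-method defaults to pre-shared-key). The secret
# shown is presumably a placeholder; never paste the real PSK into a post.
# NOTE(review): generate-policy=port-strict on a peer that already has static
# policies lets the remote side propose traffic selectors that become dynamic
# policies; if that is not intended, set generate-policy=no on this identity.
add generate-policy=port-strict peer="Tunel" secret=\
    "verysecurepassword123"
# Road-warrior identity: mutual certificate authentication, client policies are
# generated from the template in policy group "IKE2 RSA".
add auth-method=digital-signature certificate="IKE2 RSA server" \
    generate-policy=port-strict match-by=certificate mode-config="IKE2 RSA" \
    peer="IKE2 RSA" policy-template-group="IKE2 RSA" remote-certificate=\
    "Client"
/ip ipsec policy
# Static policies for the site-to-site tunnel. The second one carries
# road-warrior (10.29.9.0/28) traffic into the Tunel peer; the return path
# depends on the dynamic policy generated from the template below.
add dst-address=10.12.14.0/24 peer="Tunel" proposal=\
    "Tunel" src-address=10.23.32.0/24 tunnel=yes
add dst-address=10.12.14.0/24 peer="Tunel" proposal=\
    "Tunel" src-address=10.29.9.0/28 tunnel=yes
# Template: any source to a client address; dst is narrowed to the client's
# /32 when the policy is generated.
add dst-address=10.29.9.0/28 group="IKE2 RSA" proposal="IKE2 RSA" \
    src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): www is plain HTTP, so the web login travels unencrypted over
# the LAN and the VPN; prefer www-ssl or winbox only.
set www address=10.23.32.0/24,10.29.9.0/28
set ssh disabled=yes
set api disabled=yes
set winbox address=10.23.32.0/24,10.29.9.0/28
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe
/system identity
set name=Router
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no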

With the hEX S on ROSv7 I can reach the IPsec resources (10.12.14.0/24) from the local network (10.23.32.0/24) and from the router itself, and I can also reach the local network from a road-warrior client (10.29.9.0/28). What fails is only road-warrior client to IPsec resources, i.e. 10.29.9.x to 10.12.14.x, which should go out through the second static "Tunel" policy. The problem is shown in the image below.
pingingipsec.png

Please help, I don't want to go back to ROSv6. :D
